Possibility to add extra layer of encryption to make Restic exponentially safe?

Hi, thanks for the wonderful backup tool - I have been using it for a few days and it works great (at least up to now)!

I wonder whether it is possible to add another layer of encryption besides Restic’s built-in encryption? I believe Restic is safe, but we know every human makes mistakes (security bugs), and every year people are reporting new CVE vulnerabilities. Therefore, I hope to add one (or two) more levels of encryption besides Restic, using encryption packages that are independent from each other. Then, it must be the case that all these pieces of software have bugs for the data to be decrypted by the attacker. The probability is so small that I guess it is quite safe.

Ideally, it would be great to still preserve the incremental backup nature, so that network bandwidth and disk can be saved.

Thanks for any ideas!

Not really sure if that is really something people should consider doing, as a lot of tools fall back to standard libs like openssl or gpg anyway, but sure, you could encrypt your data first and run restic backup on that. If you e.g. want to do that on a database backup, you could run a dump action, pipe it to openssl and pipe that to restic.

I don’t think that restic should implement something directly here, loose coupling is probably preferable.

Encrypting before running restic is not a good idea. You’d lose all deduplication and compression possibility. Better to use an encrypted storage backend. I think rclone does support extra encryption so you might have a look at it.
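The deduplication loss described in the reply above, as an added simulation that is not part of the original posts and not restic code. It assumes a toy content-addressed repository with fixed-size chunks and a toy stream cipher with a fresh random nonce per run, standing in for the per-run randomness of a real encryption tool; all names and data are constructed.

```python
import hashlib
import os
import random

CHUNK = 4096  # fixed-size chunks for brevity; restic uses content-defined chunking


def toy_encrypt(data: bytes, key: bytes, nonce: bytes) -> bytes:
    """Toy SHA-256 counter-mode stream cipher: a stand-in, not for real use."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + off.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)


def upload(repo: set, data: bytes) -> int:
    """Add data to a content-addressed repo; return the number of new chunks."""
    ids = {hashlib.sha256(data[i:i + CHUNK]).digest()
           for i in range(0, len(data), CHUNK)}
    fresh = ids - repo          # chunks the repo has not seen before
    repo.update(ids)
    return len(fresh)


def simulate() -> dict:
    """Back up two daily snapshots, plain and encrypted-first; count day-2 uploads."""
    rng = random.Random(0)                      # constructed sample data
    day1 = rng.randbytes(64 * CHUNK)            # 64 chunks
    day2 = bytearray(day1)
    day2[10 * CHUNK:10 * CHUNK + 8] = b"modified"   # edit inside one chunk
    day2 = bytes(day2)
    key = b"k" * 32                             # constructed key

    plain_repo, enc_repo = set(), set()
    upload(plain_repo, day1)
    upload(enc_repo, toy_encrypt(day1, key, os.urandom(16)))
    return {
        # Plain input: only the edited chunk is new.
        "plain_day2": upload(plain_repo, day2),
        # Encrypted first: the new nonce changes every ciphertext chunk.
        "encrypted_day2": upload(enc_repo, toy_encrypt(day2, key, os.urandom(16))),
    }


if __name__ == "__main__":
    print(simulate())
```

Layering encryption below the repository (an encrypted backend or disk) leaves the chunk hashes the backup tool sees unchanged, so the plain-input result applies there.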

Good point, if you store on a local disk, encrypting it e.g. via LUKS before storing the repo on it might be a good option as well.

I see. Thanks!